(54) Bus isolator for industrial control system providing intrinsically safe operation

(57) Low voltage logic circuitry is used to permit an entire subsystem of an industrial controller to be placed within a hazardous environment (20) to receive a high speed serial link (28) and undertake the control of multiple control points without expensive and awkward long cable runs and electrically isolating circuits for each cable run. Energy and bandwidth limiting on the high speed link allows power levels commensurate with high data rates yet intrinsic safety of the media, allowing it to freely pass in and out of the hazardous area. A mixture of intrinsically safe and non-intrinsically safe equipment (24' and 24) on the same logical rack is allowed through a bus isolator (92) providing isolated data communication in backplane fashion between modules while wholly isolating power transmission along the backplane.

Description

BACKGROUND OF THE INVENTION 

The present invention relates to industrial control 
systems and in particular to an industrial control system 
for use in explosive or other hazardous environments. 

Industrial controllers are special purpose computers used for controlling factory automation and the like. Under the direction of a stored program, a processor of the industrial controller examines a series of inputs reflecting the status of a controlled process or device and changes outputs affecting control of the controlled process or device.

Generally industrial controllers are constructed in 
modular fashion to accommodate different applications 
requiring different numbers and types of input/output 
(I/O) circuits as is determined by the particular device or 
process being controlled. In such modular systems a 
number of different functional modules connect together 
through a common backplane in a rack or the like to 
share data and power. 

Often a controlled process may require control points (e.g., sensors or actuators) in an environment exposed to combustible vapors or airborne particles. In such hazardous environments, electrical arcing or excessive temperature in electrical equipment can cause an explosion. Electrical equipment intended for use in such hazardous environments must conform to certain safety standards intended to reduce the chance or effect of an explosion. Under such standards, the equipment may be placed in a special housing that is flame-proof or explosion-proof. Alternatively, the housing may be charged with an inert gas to prevent the infusion of explosive fumes. Other methods of protection are also available for use in hazardous environments; one of particular note is intrinsic safety.

Equipment that is designed to be "intrinsically safe" generally indicates that the electrical energy used by the equipment is properly limited or constrained to avoid the occurrence of sparks with sufficient energy to ignite a flammable atmosphere during a fault condition, and the surface temperatures are contained to be below those needed to cause spontaneous ignition. Fault conditions must be considered as well as the energy storage characteristics of the components of the equipment.

A number of agencies certify equipment to an intrinsic safety standard. See generally Underwriter's Laboratories document UL-913, 1988, Intrinsically Safe Apparatus And Associated Apparatus For Use In Class I, II, and III, Division I, Hazardous (Classified) Locations. See also National Electrical Code Handbook 1993, Article 500, Hazardous (Classified) Locations, Article 504, Intrinsically Safe Systems, Article 505, Class I, Zone 0, 1 and 2 Locations. See also FM Cl. No. 3600, March 1989, Electrical Equipment for Use in Hazardous (Classified) Locations General Requirements and Cl. No. 3610, October 1988, Intrinsically Safe Apparatus and Associated Apparatus for Use in Class I, II, III, Division 1 Hazardous (Classified) Locations. See also EN50014:1992, Electrical Apparatus for Potentially Explosive Atmospheres, EN50020:1994, Electrical Apparatus for Potentially Explosive Atmospheres - Intrinsic Safety 'i' and EN50039:1980, Electrical Apparatus for Potentially Explosive Atmospheres - Intrinsically Safe Electrical Systems 'i'. These documents are hereby incorporated by reference.

The terms "intrinsic safety" and "intrinsically safe" as used herein do not indicate that the equipment presents no danger or that it meets the above standards but only that it is designed to permit use in some hazardous environments without additional precautions such as explosion-proof casings and the like.

In a typical control system where a portion of the controlled process is in a hazardous area, the industrial controller will be placed a distance away in a "safe" or non-hazardous area free from combustible gases. Input and output signals to and from the portion of the controlled process in the hazardous area are carried by long cables leading from the industrial control system to the respective portion of the controlled process. Where the components of the controlled process require high power levels, those components must be shielded by specialized housings to either protect them from combustible gases or to contain any explosion caused by arcing.

Those components in the hazardous area which use low levels of electrical power (insufficient to create an arcing hazard) must still be protected from possible fault conditions where a high voltage from the non-hazardous area inadvertently is conducted along the cables into the hazardous area. For this reason cables passing into the hazardous area from the non-hazardous area, even for low power components, must first pass through a barrier circuit or an isolating circuit (penetrator circuits).

Barrier circuits shunt hazardous energy to special ground connections. In a typical barrier circuit, electrical power passing from the non-hazardous area to the hazardous area will pass through a fuse to the cathodes of one or more voltage limiting Zener diodes having their anodes connected to ground. High voltages are thus shunted safely to ground. Current into the hazardous area is limited by a resistor following the voltage limiting Zener diodes. Isolators work by separating the two halves of a conductor so there is no direct current path for any hazardous energy from the non-hazardous side to the hazardous area. A typical isolator may use transformers, capacitors or optical-type isolators as its means of separating two halves of a conductor.

When there are many points of control in a hazardous area, the cost to the control system may be substantial, driven by the cost of the barriers or isolators (both in materials and in installation) for each control point, the long runs of wiring, and the need for a separate, removed non-hazardous control area in which to place the control system.

BRIEF SUMMARY OF THE INVENTION 

The present inventors have recognized that the modern digital logic used in industrial controllers is of such low voltage so as to be intrinsically safe with little modification. Accordingly, it is possible to place a substantially complete industrial controller wholly within the hazardous area. In this way, the need for expensive barriers or isolators, long wire runs, and separate non-hazardous control areas can be avoided.

Whereas most control systems for hazardous areas require some communication with non-hazardous areas, the present invention also provides for a high speed serial link to communicate between the hazardous and non-hazardous areas. The serial link carries all the data previously carried over individual isolated wiring runs but requires far fewer penetrator circuits.

When the controller or a portion of the controller is placed in the hazardous area, there may be a need to control one or more points that are not intrinsically safe. The present invention allows a mixing of intrinsically safe and non-intrinsically safe functional modules on one logical rack through the use of a bus isolator. This permits a single logical I/O rack, for example, to support both hazardous and non-hazardous control points without the complexity or cost of multiple I/O racks with separate connections to the serial link.

The industrial controller of the present invention also provides a source of intrinsically safe power to control points of the controlled process rather than requiring an independent source of power through a barrier or isolator from the non-hazardous area. Normally a source of power with sufficient voltage to use with the controlled process (e.g., 19 volts) could not provide both the power (voltage times current) needed to run the logic of the industrial controller and the power consumed by the signals to and from the controlled process. The present inventors have recognized, however, that greater power can be obtained at low voltages, sufficient to run both the industrial controller and the controlled points, without violating the requirements that the power be intrinsically safe. Once received by the controller, the power is stepped up for use with control points. This later power to the control points is monitored and rated to ensure that it remains intrinsically safe even with possible fault conditions at the control point. This recognition of the possibility of providing greater intrinsically safe power at lower voltages also allows the entire controller, including the processor, and not just the I/O modules to be placed within the hazardous area.

Specifically, the present invention provides an industrial controller reading inputs from an industrial device and providing outputs to the industrial device under the direction of a stored control program. The industrial controller includes an energy limiting power supply meeting intrinsically safe power limits and a serial network port for receiving and transmitting data over serial network media using signals satisfying intrinsically safe power limits. A processor receiving power from the energy limiting power supply executes a stored control program and controls a plurality of interface circuits also receiving power from the energy limiting power supply and communicating electrical signals satisfying intrinsically safe power limits between the industrial controller and the industrial process. Low voltage digital circuitry receiving power from the energy limiting power supply communicates data between the serial network port and ones of the interface circuits.

Thus it is one object of the invention to limit the number of separate conductors passing between non-hazardous areas and hazardous areas by placing the entire controller in the hazardous area.

The serial network port may bandlimit the data signals transmitted so as to selectively limit the power of low frequencies of those signals.

Thus it is another object of the invention to allow use of a high speed serial data link, normally requiring increased power in the transmitted signals, by reducing low frequency components believed to be more likely to present ignition hazards.

The serial network port may also limit the instantaneous power of the data signals and may galvanically isolate the industrial controller from the data signals of the serial network media.

Thus it is another object of the invention to allow the serial network media to pass freely in and out of the hazardous area between intrinsically safe and non-intrinsically safe equipment by ensuring that power transmitted into and received from the serial link is intrinsically safe.

A bus isolator having a first and second backplane connector configured to mate to a first bus of the first industrial control component and a second bus of the second industrial control component may provide galvanic isolation between those backplane connectors and an energy limited power supply meeting intrinsically safe power limits to provide power to the second connector.

Thus it is another object of the invention to permit a single logical I/O rack to contain both intrinsically safe and non-intrinsically safe I/O modules. The bus isolator ensures isolation between these modules and provides a source of safe power obviating the need for a second network connection.

The plurality of interface circuits in the industrial controller may be removably attached to a common bus so as to allow different functional modules to be placed in a given industrial controller. Each functional module may connect to power of the bus through isolation circuitry.

Thus it is another object of the invention to ensure that power storage qualities of the individual modules do not combine to jeopardize the intrinsically safe quality of the industrial controller.

The foregoing and other objects and advantages of the invention will appear from the following description. In the description, reference is made to the accompanying drawings which form a part hereof and in which there is shown by way of illustration a preferred embodiment of the invention. Such embodiment does not necessarily represent the full scope of the invention, however, and reference must be made to the claims herein for interpreting the scope of the invention.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF 
THE DRAWINGS 

Fig. 1 is a simplified perspective view of a prior art control system used when a portion of the controlled process is in a hazardous area and showing the need for multiple penetrator circuits;
Fig. 2 is a figure similar to that of Fig. 1 showing a more complex controlled process where the entire controller may be placed directly in the hazardous area to reduce the need for multiple penetrator circuits and long wire runs;
Fig. 3 is a schematic block diagram of the intrinsically safe controller of Fig. 2 showing its receipt of hazardous power and distribution of safe power to its functional modules each of which is additionally isolated from a common backplane both in data and power, and showing a bus isolator for optionally connecting the backplane of the controller to an external rack in a non-hazardous area, and showing a communication module for connecting the intrinsically safe controller to a high speed serial link;
Fig. 4 is a detailed block diagram of the communication module of Fig. 3 showing power limiting and bandwidth limiting circuitry as renders the serial link intrinsically safe;
Fig. 5 is a detailed block diagram of an I/O module of the controller of Fig. 3 showing its regulated power output;
Fig. 6 is a plot of voltage vs. amperage indicating an intrinsically safe region as followed by the regulated power of the I/O module of Fig. 5;
Fig. 7 is a detailed block diagram of the bus isolator of Fig. 3 showing the generation of intrinsically safe power and its interconnection and isolation of backplanes of I/O racks or controllers;
Fig. 8 is a schematic representation of one use of the bus isolator of Fig. 7; and
Fig. 9 is a schematic representation similar to Fig. 8 of a second use of a bus isolator of Fig. 7.

DETAILED DESCRIPTION OF THE INVENTION 

Referring to Fig. 1, in a prior art control system, an industrial controller 10 includes a controller 12 and a remote I/O rack 24, both located in an area without hazardous materials present (non-hazardous area). The controller 12 has a plurality of functional modules 14 including a processor 16 executing a stored program to control a controlled process 18, a portion of which is in a hazardous area 20 (an area with hazardous materials present). The remote I/O rack also includes a plurality of functional modules 14, which are principally I/O modules 26. The modules 14 of the controller 12 and the I/O rack 24 communicate with each other via an internal backplane, not shown.

The controller 12 may communicate with a control terminal 22 used to monitor the process and to enter and edit the stored program. The control terminal 22 may also communicate with the remote I/O rack 24. The controller 12, remote I/O rack 24 and control terminal 22 communicate via a high speed serial link 28 connecting communication modules 30 on each of the controller 12, remote I/O rack 24 and control terminal 22.

Cables 32 from various of the I/O modules 26 pass 
through penetration circuits 34 from the non-hazardous 
area into the hazardous area 20 to receive input data 
from low power control points 36 or to provide low power 
actuation signals to those control points 36. A high 
power cable 38 passes from an I/O module 26 into an 
explosion-proof housing 40 to high power control point 
42. 

The prior art system generally requires long wire runs for cables 32 and 38, and costly multiple penetration circuits 34.

Referring now to Fig. 2, a substantially greater number of control points 36 may be handled on the controlled process 18 without the use of penetration circuits 34 by making the I/O rack 24' intrinsically safe, placing the I/O rack 24' in the hazardous area 20, and placing a processor module 16' in the I/O rack 24' to provide for an industrial controller 10' wholly contained within the hazardous area 20. Only two principal penetrations of the hazardous area 20 are now required, one for serial link 28' connecting I/O rack 24' to the control terminal 22 and one for non-intrinsically safe power 44 to enter the hazardous area 20. Because such power 44 is not intrinsically safe, supplemental shielding 46 must be provided up to the point where it exits out of the hazardous area 20.

Referring now also to Fig. 3, I/O rack 24' receives the non-intrinsically safe power 44 from isolator 48 which converts non-intrinsically safe power 44 to intrinsically safe power 50 by galvanically isolating non-intrinsically safe power 44 from intrinsically safe power 50 and by providing limits to power flow through isolator 48 according to techniques understood in the art. Generally isolator 48 provides galvanic isolation through the inductive path of a transformer constructed with sufficient insulation and air gap to prevent a direct DC path between non-intrinsically safe power 44 and intrinsically safe power 50 in most anticipated overvoltage situations. Conventional current and voltage limiting techniques are then used to limit the power passing to intrinsically safe power 50. These techniques may include use of a saturable core transformer together with fuses, crowbar circuits and resistive and Zener limiting according to techniques well understood in the art.

Intrinsically safe power 50 passes to internal backplane 52 to power the backplane power lines 54 of that backplane 52, which also includes data lines 56. Attached to the backplane 52 are a plurality of functional modules 14' including a communication module 30', a processor module 16' executing a stored control program, and several I/O modules 26'. Backplane 52 is modular and may be extended by attaching additional backplane sections to connectors on the backplane 52 as is understood in the art.

In distinction from the non-intrinsically safe I/O rack 24 described with respect to Fig. 1, the backplane 52 is intrinsically safe, operating with an intrinsically safe power source 50 and at voltages and currents suitable for normal logic level devices and coincidentally, at intrinsically safe power levels. Referring now to Fig. 6, an intrinsically safe zone may be defined in terms of total current and voltage (i.e. power) beneath curve 73. Normally curve 73 is further discounted by a safety factor.

The curve 73 below ten volts is not well characterized and therefore is shown by a dotted horizontal line. However, the present inventors recognize that sufficient power for operating an entire industrial controller (and providing power for the signals to and from the controlled process) can be made available to supply even complex logic level devices by using voltages below ten volts (and in fact in many cases operating at about five volts) that will be intrinsically safe. This power will be sufficient to operate high numbers of I/O in one module. Placing the entire industrial controller 10 in the hazardous area is thus rendered possible.

The intrinsically safe standards consider not only the instantaneous voltages and currents used by the device but the potential for energy storage in capacitances or inductances (entity parameters) that would concentrate sufficient energy to create a spark or temperature (e.g., via resistive heating) sufficient to ignite gases in an explosive atmosphere. The backplane 52 is characterized as to inductance and capacitance to ensure such energy concentrations do not occur. On the other hand, the very modularity of the I/O rack 24', allowing different functional modules 14', makes characterization of the energy storage capacity of the entire remote I/O rack 24' more difficult. Accordingly, each module 14' receiving power from power line 54 of backplane 52 receives that power through an additional isolator 58 similar to isolator 48. In this way the backplane 52 is isolated from potential energy storage of the modules 14' and each module 14' is isolated from other modules 14'. Such isolation may be provided by an inductive coupling circuit such as a transformer with or without additional power limiting circuitry.

The isolation provided by isolators 58 also means that each control point 36 may be treated separately with respect to the intrinsically safe power determination. Generally each I/O module may have a rated voltage, current, capacitance and inductance indicating a maximum design additional capacitance, inductance or power added to the control point that will still provide intrinsically safe operation. So long as the control point has parameters less than these ratings, it may be used with the I/O module while preserving intrinsically safe operation.

The data of the backplane 52 transmitted along data lines 56 is also isolated as it connects to the modules 14' by isolator 60 which may be a capacitive or inductance-type isolator or, because relatively little power is transmitted in the data, by an optical isolation system such as is well known in the art. The risk of faults from shorts between the data lines and power lines, potentially communicating power along data lines 56 between modules 14', is thus eliminated.

The data lines 56 connecting the modules 14' are part of a multiple conductor bus structure, as is understood in the art, communicating words of data to modules 14' as decoded by the communication module 30' receiving the data in serial fashion from the serial link 28'. Similarly, words of data produced by the modules 14' are collected and transmitted serially by communication module 30' (also known as adapter or gateway) on serial link 28'. Generally the communication module 30' collects multiple data values from the modules 14' and collects and formats them for serial transmission and takes serial transmissions and decodes them into multiple data values to be distributed to the modules 14'. Through this technique, an arbitrarily large number of control points 36 may be accommodated by the remote I/O rack 24' and the data communicated to and from the control points 36 collected and sent over a relatively limited number of conductors of serial link 28'. The passage of the serial link 28 to 28' into the hazardous area 20 requires some protective circuitry as will be described; however, the need for individual penetration circuits 34 for each of the control points is effectively eliminated.

Referring now also to Figs. 3 and 5, an input module 26' may provide a source of safe power to the control point 36 as derived from isolator 48 (shown in Fig. 3) through isolator 58. By providing power on output line 62, the need for an additional penetration circuit 34 to bring power to control points 36 which require power is thereby avoided. For example, an output line 62 may provide power to a sensor which returns a signal along input line 64 received by conventional input circuitry 66 understood in the art. The input signal on input line 64 may be digital or analog and converted to digital signals according to well known analog to digital conversion techniques and provided to circuitry 69 which may perform processing according to an internal stored program and may transmit relevant data from the input through isolator 60 onto data lines 56 and ultimately to processor 16'. The digital circuitry 69 typically includes a microprocessor operating at standard logic levels of approximately five volts and thus can be made intrinsically safe when powered from the intrinsically safe power 50 (shown in Fig. 3).

The output line 62 may be powered by a switching power supply 68 nominally regulated to a predetermined voltage level (e.g., 19 volts) higher than that provided by the intrinsically safe power source 50. The switching power supply 68 thus provides a step up of voltage either through an associated transformer. The output of the switching power supply 68 is in series with a current limiting resistor 70 which in turn connects with output line 62. The current limiting resistor 70 provides current limiting to control point 36 in the event of a fault which might increase current levels beyond intrinsically safe levels. The current limiting also ensures that sufficient power remains for operation of the other circuitry of the industrial controller 12'.

In order to reduce power dissipation in the module 14' and possible failure of components or undesirable temperature rise, a sensing lead 72 is attached at resistor 70 to provide a reading of current flow to the control points 36 (via voltage drop across resistor 70). The switching power supply is further regulated to limit the power dissipation across resistor 70 by lowering its output voltage appropriately in response to the sensed current. Curve 73 (shown in Fig. 6) may be used to derive the resistance value for resistor 70 so that the power on output line 62 always remains beneath the curve 73. The switching power supply 68 limits the actual dissipation in the resistor 70 and operates in a class D mode and thus produces relatively low power dissipation itself regardless of its output voltage. Such switching regulators are well known in the art.

The switching power supply 68 may also be controlled by the logic circuitry 69 so that several levels of fault may be detected and responded to, each level of fault providing a limiting of current by the switching power supply 68 based on monitoring of resistor 70. If monitoring of resistor 70 indicates excessive power draw by the control point 36, the output voltage will be reduced and then, after a predetermined time, increased again to see whether the additional power drain has been eliminated. If not, the output voltage will again be limited. Multiple occurrences of limiting within a predetermined period of time will cause a fault condition reported to the user with a shutting down of the output. Nevertheless, momentary paths of low resistance as may be caused by technicians measuring voltage with low impedance devices can be accommodated safely without a fault condition.
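
The reduce, retry and shut-down sequence described above can be modelled as a small state machine; the following C sketch is an added illustration and is not part of the patent text. Only the nominal 19 volt output comes from the description: the reduced voltage, the value of resistor 70, the trip current, the retry delay, the counting window, the event limit and the load values are assumed, and all names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Only the 19 V nominal output is from the description; every other
   figure below is an assumed value chosen for illustration. */
#define V_NOMINAL_MV     19000u /* regulated output of supply 68 */
#define V_LIMITED_MV      5000u /* assumed reduced output while limiting */
#define R70_OHM            200u /* assumed value of limiting resistor 70 */
#define I_TRIP_MA           40u /* assumed excessive-draw threshold */
#define RETRY_DELAY_TICKS   10u /* assumed "predetermined time" before retry */
#define WINDOW_TICKS       100u /* assumed "predetermined period of time" */
#define MAX_LIMIT_EVENTS     3u /* assumed limiting events in window -> fault */
#define LOAD_NORMAL_OHM   1000u /* constructed healthy control point load */
#define LOAD_LOW_OHM        50u /* constructed low-resistance path */

typedef enum { OUT_NORMAL, OUT_LIMITED, OUT_FAULT } out_state_t;

typedef struct {
    out_state_t state;
    uint32_t vout_mv;                      /* present output voltage */
    uint32_t limited_at;                   /* tick at which limiting began */
    uint32_t event_tick[MAX_LIMIT_EVENTS]; /* ring of recent limiting events */
    uint32_t event_count;
} out_ctrl_t;

typedef struct { uint32_t start, end; } interval_t; /* low path in [start,end) */

static void out_ctrl_init(out_ctrl_t *c)
{
    *c = (out_ctrl_t){0};
    c->state = OUT_NORMAL;
    c->vout_mv = V_NOMINAL_MV;
}

/* Reduce the output and record the event; latch a fault when the last
   MAX_LIMIT_EVENTS events all fall inside WINDOW_TICKS. */
static void limit_output(out_ctrl_t *c, uint32_t now)
{
    c->event_tick[c->event_count % MAX_LIMIT_EVENTS] = now;
    c->event_count++;
    c->state = OUT_LIMITED;
    c->vout_mv = V_LIMITED_MV;
    c->limited_at = now;
    if (c->event_count >= MAX_LIMIT_EVENTS) {
        /* after the increment this slot holds the oldest retained event */
        uint32_t oldest = c->event_tick[c->event_count % MAX_LIMIT_EVENTS];
        if (now - oldest <= WINDOW_TICKS) {
            c->state = OUT_FAULT;
            c->vout_mv = 0; /* output shut down, reported to the user */
        }
    }
}

/* One control tick; drop_mv is the voltage across resistor 70 (lead 72). */
static out_state_t out_ctrl_step(out_ctrl_t *c, uint32_t now, uint32_t drop_mv)
{
    switch (c->state) {
    case OUT_NORMAL:
        if (drop_mv / R70_OHM > I_TRIP_MA) /* I = V / R, in mA */
            limit_output(c, now);
        break;
    case OUT_LIMITED:
        if (now - c->limited_at >= RETRY_DELAY_TICKS) {
            c->state = OUT_NORMAL;         /* raise the voltage and re-test */
            c->vout_mv = V_NOMINAL_MV;
        }
        break;
    case OUT_FAULT:                        /* latched until serviced */
        break;
    }
    return c->state;
}

/* Run the controller against a load that is low-resistance during the
   given intervals and healthy otherwise; returns the final state. */
out_ctrl_t simulate(const interval_t *low, size_t n, uint32_t total_ticks)
{
    out_ctrl_t c;
    out_ctrl_init(&c);
    for (uint32_t t = 0; t < total_ticks; t++) {
        uint32_t load = LOAD_NORMAL_OHM;
        for (size_t i = 0; i < n; i++)
            if (t >= low[i].start && t < low[i].end)
                load = LOAD_LOW_OHM;
        out_ctrl_step(&c, t, c.vout_mv * R70_OHM / (R70_OHM + load));
    }
    return c;
}

/* Constructed load profiles: a brief meter probe, a persistent short, and
   three brief probes spaced further apart than the window. */
static const interval_t PROBE[]  = { {5, 7} };
static const interval_t STUCK[]  = { {0, 200} };
static const interval_t SPACED[] = { {0, 1}, {60, 61}, {120, 121} };

int main(void)
{
    printf("probe:  state=%d\n", (int)simulate(PROBE, 1, 40).state);
    printf("stuck:  state=%d\n", (int)simulate(STUCK, 1, 200).state);
    printf("spaced: state=%d\n", (int)simulate(SPACED, 3, 140).state);
    return 0;
}
```
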

In similar manner, depending on exact functional requirements of module 26', the switching power supply may monitor the output voltage to provide just sufficient levels to ensure proper operation of control point 36 but no more, which may cause excessive power loss and temperature rise within module 26'.

Referring now to Figs. 2, 3 and 4, the placing of the controller contained in I/O rack 24' in the hazardous area 20, as mentioned, requires safe passage for non-intrinsically safe power 44 such as may be provided by a shielding technique and for passage of the serial link 28 to 28'. These two passages in the hazardous area 20 are all that is required for an arbitrarily large number of intrinsically safe control points 36, that is, control points 36 that can be actuated or that provide for the detection of signals using intrinsically safe levels of electrical power.

Unlike the non-intrinsically safe power 44 which must be shielded with shielding 46, the present invention makes the entire serial link 28' to 28 intrinsically safe by limiting the power that may be placed on the serial link 28' to 28 and the power that may be extracted from the serial link 28' to 28. In this way, the serial link 28' to 28 may pass freely in and out of the hazardous area 20 and may be used to connect multiple remote I/O racks 24' within the hazardous area 20 and to non-intrinsically safe equipment. Alternately, to simplify the requirements on the non-intrinsically safe equipment generally needing to be connected to serial link 28' to 28, a single intrinsically safe penetration circuit 34 may be used when passing serial link 28' to 28 from the hazardous area 20 to the non-hazardous area. It is significant that this single penetration circuit is a convenience for the design and use of other devices in the non-hazardous area and does not materially affect the utility of the serial link, since logically the network is contiguous.

Referring to Fig. 3, communication module 30' receives intrinsically safe power through isolator 58 and intrinsically safe data from the backplane 52. The communication module includes a digital logic section 74 providing connected message decoding and translation between serial data on serial link 28' and the data structure of the backplane 52. Digital logic section 74 does not communicate directly with serial link 28' but only indirectly through protection circuitry 76.

Referring to Fig. 4, protection circuitry 76 receives serial data along lines 78 from digital logic section 74 for transmission on serial link 28' and receives data from serial link 28' to be transmitted to digital logic section 74 on line 78. Circuitry 76 also receives a source of intrinsically safe power 80 from the isolator 58. The data on line 78 and on serial link 28' is high speed and uses a five MBaud deterministic network protocol using connected messaging such as is understood in the art.

The data on line 78 passing to serial link 28' is first received by high pass filter 82 having a break point at approximately one megahertz so as to limit the power contributed by low frequency components of the data. Applicants believe that low frequency power is more likely to provide combustible arcing than high frequency power because the short duration of arcing at extremely high frequencies carries insufficient energy in each arc to begin the combustion process and does not accumulate between arcing cycles. Nevertheless, the inventors do not wish to be bound by this particular theory.






EP 0 883 044 A2 






Whereas a serial communication channel could be 
made intrinsically safe by lowering its power to 
extremely low levels, there is a direct relationship 
between the speed of information transfer and power 
needed for that transmission. This relationship results 
generally from transmission line impedances and background 
noise in any communication channel. By band 
limiting the data on the serial link 28', higher powers 
may be used while still providing intrinsic safety. 

The data is next received by power control circuitry 
84 which places limits on the voltage and current of the 
data and also boosts the band limited data in power 
appropriate for the communication speeds. This circuitry 
may include conventional amplification electronics 
receiving intrinsically safe power 80 accompanied 
with current and voltage limiting circuits, i.e. shunting 
Zener diodes. The power control circuitry 84 is followed 
by a galvanic isolator 86 which is a saturable core transformer 
providing further current limiting and isolation by 
virtue of the insulated transformer gap. This transformer 
is followed by additional passive voltage limiting circuitry, 
again being shunting Zener diodes in the preferred 
embodiment. A final high pass filter 81 is then 
attached to serial link 28'. 

Data is both transmitted and received through the 
circuitry 76 limiting both the power transmitted to and 
received from the serial link 28'. 

All connections to the communication serial link 28' 
to 28 both in and outside the hazardous area 20 may be 
similar to that provided by circuitry 76. However, as 
stated earlier, for convenience the serial link 28' to 28 
passes through a penetration circuit in the preferred 
embodiment. Thus the present invention provides a 
high speed yet intrinsically safe serial communication 
network which significantly reduces the number of penetrations 
into the hazardous area by employing a high 
data rate suitable for the control of many control points 
36 in the hazardous area 20. 

Referring again to Fig. 2, on occasion it may be 
necessary to actuate a control point 42 employing 
power levels that are not intrinsically safe and thus 
which must be shielded by explosion-proof housing 40. 
While such control points 42 may be controlled by 
non-intrinsically safe equipment, for example, an optional 
external controller 12, or by using a separate I/O rack 
communicating with I/O rack 24' via a communication 
module 30' and an intrinsically safe penetration circuit 
34, this approach is cumbersome especially where only 
a single or a few hazardous control points must be controlled 
as it requires a costly network connection to the 
link 28'. It also may be desirable to place the control 
hardware adjacent to the hazardous control point 42 
rendering the option of using the controller 12 impossible. 
Generally intrinsically safe modules 14' may not be 
mixed with non-intrinsically safe modules (i.e., modules 
controlling high powers) because of the risk of faults 
between intrinsically safe modules 14' and non-intrinsically 
safe modules 14. 



Accordingly, the present invention permits the use 
of a bus isolator module 92 which may extend the backplane 
52 of the intrinsically safe I/O rack 24' to attach to 
a non-intrinsically safe I/O module 14. The non-intrinsically 
safe I/O module 14 may control a number of control 
points 95 in the non-hazardous area and the 
hazardous control point 42. 

Referring now also to Fig. 7, the bus isolator mod- 
ule 92 employs connectors 94' that may connect onto 
standard connectors used to extend the backplane 52' 
when additional modules 14 are to be placed on an I/O 
rack 24. One connector 94' attaches to backplane 52' 
and in particular to the data lines 56' to transmit those 
data lines to a galvanic isolator 96 on the bus isolator 
module 92. In this case, the galvanic isolator may be 
simply series capacitances, one for each conductor; 
however, inductive (transformer) type isolation may also 
be used, as well as optical type isolators. The galvanic 
isolator 96 provides the signals to a second connector 
94 which may connect to a backplane 52 attached to a 
non-intrinsically safe module 14". The power lines 54' of 
the backplane 52' are not transmitted by the bus isolator 
module 92 but instead new safe power lines 54 are gen- 
erated from a source of non-intrinsically safe power 98 
received by isolator/power limiter 100 similar to isolator 
48 previously described. This isolator/power limiter 100 
provides power lines 54 to connector 94 to the module 
14". 

The power from isolator/power limiter 100 primarily 
is used to provide backplane power lines 54; however, 
small amounts of the power may be used for buffer 
amplifiers to extend the distance between backplane 52' 
and backplane 52 over the cables of the bus isolator 
module 92. 

The bus isolator module 92 is extremely simple in 
construction and allows the mixing of intrinsically safe 
and non-intrinsically safe modules on what is logically 
the same I/O rack 24' (i.e., it appears from the serial link 
28' to be one rack). Additional communication circuitry 
and backplane decoding is thus not required as would 
be the case if serial link 28 were used as the connecting 
medium. 

Generally, an intrinsically safe module 14' once 
used with unprotected power may never again be used 
as an intrinsically safe module as a result of possible 
history of stressing that may have compromised its 
intrinsically safe quality. The bus isolator module 92 
logically allows intrinsically safe modules 14' to be 
mixed with non-intrinsically safe modules 14 while phys- 
ically keeping them separated. 
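The mixing rules described above (one class of module per physical backplane, data but never power crossing the bus isolator, and no reuse of an intrinsically safe module that has seen unprotected power) can be expressed as a layout check. This is an added sketch, not part of the patent; the class names, the `power` labels and the sample racks are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Module:
    name: str
    intrinsically_safe: bool
    used_with_unprotected_power: bool = False  # history flag, never cleared
@dataclass
class Backplane:
    name: str
    intrinsically_safe: bool
    power: str  # assumed labels: "limited" or "unprotected"
    modules: list = field(default_factory=list)

@dataclass
class BusIsolator:
    side_a: str
    side_b: str
    passes_power: bool = False

def check_logical_rack(backplanes, isolators):
    """Return rule violations for backplanes meant to form one logical rack."""
    problems = []
    for bp in backplanes:
        if bp.intrinsically_safe and bp.power != "limited":
            problems.append(f"{bp.name}: intrinsically safe backplane on unprotected power")
        for m in bp.modules:
            if m.intrinsically_safe != bp.intrinsically_safe:
                problems.append(f"{bp.name}: {m.name} is mixed with the other class")
            elif m.intrinsically_safe and m.used_with_unprotected_power:
                problems.append(f"{bp.name}: {m.name} has a history of unprotected power")
    for iso in isolators:
        if iso.passes_power:
            problems.append(f"isolator {iso.side_a}<->{iso.side_b}: power lines carried across")
    # One logical rack: every backplane is reachable through bus isolators.
    reached, frontier = set(), [bp.name for bp in backplanes[:1]]
    while frontier:
        name = frontier.pop()
        reached.add(name)
        for iso in isolators:
            ends = {iso.side_a, iso.side_b}
            if name in ends:
                frontier.extend(ends - {name} - reached)
    problems += [f"{bp.name}: not joined to the rack by a bus isolator"
                 for bp in backplanes if bp.name not in reached]
    return problems

# Constructed sample layouts (not taken from the patent figures).
SAFE = Backplane("52'", True, "limited", [Module("14'-a", True), Module("14'-b", True)])
OTHER = Backplane("52", False, "limited", [Module("14-a", False)])
GOOD = check_logical_rack([SAFE, OTHER], [BusIsolator("52'", "52")])
REUSED = Backplane("52'", True, "limited",
                   [Module("14'-c", True, used_with_unprotected_power=True), Module("14-b", False)])
BAD = check_logical_rack([REUSED, OTHER], [])
```

`GOOD` is empty; `BAD` reports the reused module, the mixed module and the backplane left without an isolator link.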

Referring now to Fig. 8, the bus isolator module 92 
may be used to connect an intrinsically safe I/O rack 24' 
in a hazardous area 20 to a non-intrinsically safe I/O 
rack 24 in the non-hazardous area with the non-intrinsi- 
cally safe power 98 received by the bus isolator module 
92 in the non-hazardous area used to power the mod- 
ules 14 used to control non-intrinsically safe control 
points. A single communication module 30' in the hazardous 
area 20 receives serial link 28' and provides 
decoding both for I/O racks 24' and 24. 

Alternatively as shown in Fig. 9, a serial link 28 may 
be received by I/O rack 24 having a communication 
module 30 and a number of functional modules 14 and 
the I/O rack 24 connected to the bus isolator module 92. 
The bus isolator module 92 may receive a source of 
non-intrinsically safe power 98 in the non-hazardous 
area and convert that power to intrinsically safe power 
to be forwarded through connector 94 to intrinsically 
safe I/O rack 24' not having a communication module 
30' or any connection directly with serial link 28'. Since 
the bus isolator module 92 is always located in the non- 
hazardous area, it is a simple matter to provide it with 
non-intrinsically safe power 98. Generally the bus isola- 
tor module 92 allows a cost effective means to mix 
intrinsically and non-intrinsically safe equipment in the 
same I/O group. 

Whereas the present invention allows high speed 
communication signals to be transmitted freely into haz- 
ardous areas 20 on standard copper media, it will be 
understood that the same techniques may be used with 
fiber optic-type communication devices. In the preferred 
embodiment the penetration circuit 34 shown in Figure 
2 connecting serial link 28' to 28 incorporates such a 
fiber optic technique. 

The above description has been that of a preferred 
embodiment of the present invention. It will occur to 
those that practice the art that many modifications may 
be made without departing from the spirit and scope of 
the invention. For example, some aspects of the inven- 
tion may be used even when the entire industrial con- 
troller is not in the hazardous area but, for example, 
where the I/O modules are in the hazardous area and 
the controller is outside of the hazardous area. In order 
to apprise the public of the various embodiments that 
may fall within the scope of the invention, the following 
claims are made. 

In summary, in accordance with the invention low 
voltage logic circuitry is used to permit an entire subsys- 
tem of an industrial controller to be placed within a haz- 
ardous environment to receive a high speed serial link 
and undertake the control of multiple control points with- 
out expensive and awkward long cable runs and electri- 
cally isolating circuits for each cable run. Energy and 
bandwidth limiting on the high speed link allows power 
levels commensurate with high data rates yet intrinsic 
safety of the media allowing it to freely pass in and out 
of the hazardous area. A mixture of intrinsically safe and 
non-intrinsically safe equipment on the same logical 
rack is allowed through a bus isolator providing isolated 
data communication in backplane fashion between 
modules while wholly isolating power transmission 
along the backplane. 

Claims 

1. A bus industrial controller for use with an industrial 
controller having a first and second unit each having 
an internal multi-conductor bus communicating 
data and power between functional modules of the 
unit attached to the bus, the bus interface comprising: 

a first and second bus connector configured to 
mate to a first bus of the first unit and a second 
bus of the second unit, respectively; 

a galvanic isolator unit positioned between the 
first and second bus connectors providing electrical 
isolation across a plurality of conductor 
pairs between the first and second bus connectors 
for conducting data therebetween; 

an energy limiting power converter receiving an 
external source of electrical power and limiting 
the power at an output of the power converter 
to a level to avoid the generation of sparks with 
sufficient energy to ignite a flammable atmosphere 
during a fault condition; the output of the 
energy limiting power converter connecting to 
the second bus connector for connecting power 
thereto and not to the first bus connector. 

2. The bus interface of claim 1 wherein the energy limiting 
power converter is selected from the group 
consisting of: saturatable core transformer, fuses, 
crowbar circuits, resistors, and Zener limiting circuits. 

3. The bus interface of claim 1 wherein the galvanic 
isolator is selected from the group consisting of 
capacitive, inductive and optical isolators. 

4. A method of operating an industrial controller in a 
hazardous environment, the industrial controller 
comprising an intrinsically safe unit having reduced 
power levels unlikely to produce a spark sufficient 
to ignite a flammable atmosphere and a non-intrinsically 
safe unit not having reduced power levels, 
the units each having an internal multi-conductor 
bus communicating data and power between functional 
modules of the unit attached between the bus 
and control points of an industrial process, the 
method comprising the steps of: 

(a) placing the intrinsically safe unit in the hazardous 
area to control portions of the process 
therein; 

(b) extending the bus of the intrinsically safe 
unit outside the hazardous area to attach the 
bus to a first bus connector of a bus interface, 
the bus interface having: 

(i) the first and a second bus connector 
configured to mate to a first bus of the 
intrinsically safe unit and a second bus of 
the non-intrinsically safe unit, respectively; 

(ii) a galvanic isolator unit positioned 
between the first and second bus connectors 
providing electrical isolation across a 
plurality of conductor pairs between the 
first and second bus connectors for conducting 
data therebetween; 

(iii) an energy limiting power converter 
receiving an external source of electrical 
power and limiting the power at an output 
of the power converter to a level to avoid 
the generation of sparks with sufficient 
energy to ignite a flammable atmosphere 
during a fault condition, the output of the 
energy limiting power converter connecting 
to the second bus connector for connecting 
power thereto and not to the first 
bus connector; 

(c) connecting the bus of the non-intrinsically 
safe unit to the second bus connector; and 

(d) providing non-intrinsically safe power to the 
energy limiting power converter as the external 
source of power. 

5. The method of claim 4 wherein the intrinsically safe 
and non-intrinsically safe units communicate data 
to a central controller located in a non-hazardous 
area via a serial link and including the step of: 

attaching the serial link to the non-intrinsically 
safe unit and transferring data to the intrinsically 
safe unit via the bus interface. 

6. The method of claim 4 wherein the intrinsically safe 
and non-intrinsically safe units communicate data 
to a central controller located in a non-hazardous 
area via a serial link and including the step of: 

attaching the serial link to the intrinsically safe 
unit through an isolation coupling and transferring 
data to the non-intrinsically safe unit via 
the bus interface. 

7. A method of operating an industrial controller in a 
hazardous environment, the industrial controller 
comprising an intrinsically safe unit having reduced 
power levels unlikely to produce a spark sufficient 
to ignite a flammable atmosphere and a non-intrinsically 
safe unit not having reduced power levels, 
the units each having an internal multi-conductor 
bus communicating data and power between functional 
modules of the unit attached between the bus 
and control points of an industrial process, the 
method comprising the steps of: 

(a) placing the intrinsically safe unit in the hazardous 
area to control portions of the process 
therein; 

(b) extending the bus of the intrinsically safe 
unit outside the hazardous area to attach the 
bus to a first bus connector of a bus interface, 
the bus interface having: 

(i) the first and a second bus connector 
configured to mate to a first bus of the 
intrinsically safe unit and a second bus of 
the non-intrinsically safe unit, respectively; 

(ii) a galvanic isolator unit positioned 
between the first and second bus connectors 
providing electrical isolation across a 
plurality of conductor pairs between the 
first and second bus connectors for conducting 
data therebetween; 

(iii) an energy limiting power converter 
receiving an external source of electrical 
power and limiting the power at an output 
of the power converter to a level to avoid 
the generation of sparks with sufficient 
energy to ignite a flammable atmosphere 
during a fault condition, the output of the 
energy limiting power converter connecting 
to the second bus connector for connecting 
power thereto and not to the first 
bus connector; 

(c) connecting the bus of the non-intrinsically 
safe unit to the first bus connector; and 

(d) providing non-intrinsically safe power to the 
energy limiting power converter as the external 
source of power. 

8. The method of claim 7 wherein the intrinsically safe 
and non-intrinsically safe units communicate data 
to a central controller located in a non-hazardous 
area via a serial link and including the step of: 

attaching the serial link to the non-intrinsically 
safe unit and transferring data to the intrinsically 
safe unit via the bus interface. 

9. The method of claim 7 wherein the intrinsically safe 
and non-intrinsically safe units communicate data 
to a central controller located in a non-hazardous 
area via a serial link and including the step of: 

attaching the serial link to the intrinsically safe 
unit through an isolation coupling and transferring 
data to the non-intrinsically safe unit via 
the bus interface. 